I think I'm OK with adding a low-priority debconf question to disable password authentication. That's a much lower-maintenance solution from my point of view than the various things that have been proposed in the past for disabling the service entirely. The packaged default would be true (i.e. enable password auth), but the server image could preseed it to false.
Regarding socket activation, I'd like to draw your attention to this section from openssh-server's README.Debian file. The bit about MaxStartups explains why I'm unwilling to make this the default on servers:
Per-connection sshd instances with systemd
------------------------------------------
If you want to reconfigure systemd to listen on port 22 itself and launch an
instance of sshd for each connection (inetd-style socket activation), then
you can run:

    systemctl stop ssh.service
    systemctl start ssh.socket

To make this permanent:

    systemctl disable ssh.service
    systemctl enable ssh.socket

This may be appropriate in environments where minimal footprint is critical
(e.g. cloud guests). Be aware that this bypasses MaxStartups, and systemd's
MaxConnections cannot quite replace this as it cannot distinguish between
authenticated and unauthenticated connections; see
https://bugzilla.redhat.com/show_bug.cgi?id=963268 for more discussion.

The provided ssh.socket unit file sets ListenStream=22. If you need to have
it listen on a different address or port, then you will need to do this by
copying /lib/systemd/system/ssh.socket to /etc/systemd/system/ssh.socket and
modifying the ListenStream option. See systemd.socket(5) for details.
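As an added illustration of the MaxStartups caveat above (this is not part of the README.Debian text or the message quoting it), here is a systemd drop-in for the packaged ssh.socket that changes the listening address and port through the ListenStream option the README points at, and adds the per-socket limits systemd does offer. The drop-in path, the address 192.0.2.10:2222 and the two limit values are constructed for the example. The contrast it makes: MaxStartups in sshd_config (default 10:30:100) counts only connections that have not yet authenticated and starts refusing them probabilistically once the first threshold is passed, whereas systemd's MaxConnections= and MaxConnectionsPerSource= count every connection handed to an sshd instance, authenticated sessions included, so a long-lived legitimate login occupies the same slot as an unauthenticated probe.

```ini
# /etc/systemd/system/ssh.socket.d/override.conf
# (example path: a drop-in for the packaged ssh.socket, as an alternative to
# copying the whole unit file into /etc/systemd/system as the README suggests)
[Socket]
# ListenStream= is a list setting: the empty assignment clears the packaged
# ListenStream=22 before the new address:port is added, otherwise systemd
# would listen on both.
ListenStream=
ListenStream=192.0.2.10:2222

# In the per-connection mode described in the README (Accept=yes), systemd,
# not sshd, accepts each TCP connection, so sshd's MaxStartups never sees
# the unauthenticated backlog. These are the closest systemd equivalents,
# but they apply to every spawned sshd instance regardless of whether the
# peer has authenticated, so they cannot reproduce MaxStartups' semantics.
# Values below are constructed for the example.
MaxConnections=64
MaxConnectionsPerSource=8
```

After writing the drop-in, run `systemctl daemon-reload` followed by `systemctl restart ssh.socket`; `systemctl show ssh.socket` prints the effective Listen and MaxConnections values so the override can be confirmed before relying on it.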